lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Aug 2007 19:12:49 +0200
From: Oliver Karow <>
To: "Steven M. Christey" <>
Subject: Re: n.runs, Sophos, German laws, and customer safety

Hi Steven,

even if i do not support the new anti hacker law in germany, i don't see
any important issue in the inconsistence between the n.runs advisory and
the vendors statement in respect of the new law.

The most important message for the average customer, who is not able to
understand the difference between a DoS and a code execution, is to
install latest vendor patches. 

And those customers who know the difference between this two kind of
vulnerabilities, are aware of the fact that there is a high risk that a
simple DoS might become a code execution if better exploited, and should
also install latest vendor patches (or put any other preventive measure
in place).

In my mind the most important effect of the law is, that it will be
punished if someone uses or provides tools that are able to
discover/proof the existence of such vulnerabilities... but that's
another story....



On Tue, 2007-08-28 at 13:00 -0400, Steven M. Christey wrote:
> The n.runs-SA-2007.027 advisory claims code execution through a UPX
> file.  This claim is inconsistent with the vendor's statement that
> it's only a "theoretical" DoS:
>   "A corrupt UPX file causes the virus engine to crash and Sophos
>   Anti-Virus to return 'unrecoverable error. leading to scanning being
>   terminated. It should not be a security threat although repeated
>   files could cause a denial of service."
> It is unfortunate that Germany's legal landscape prevents n.runs from
> providing conclusive evidence of their claim.  This directly affects
> Sophos customers who want to know whether it's "just a DoS" or not.
> Many in the research community know about n.runs and might believe
> their claim, but the typical customer does not know who they are
> (which is one reason why I think the Pwnies were a good idea).  So,
> many customers would be more likely to believe the vendor.  If the
> n.runs claim is true, then many customers might be less protected than
> they would if German laws did not have the chilling effect they are
> demonstrating.
> It should be noted that in 2000, a veritable Who's Who of computer
> security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias
> Levy, Alan Paller, and other well-known security professionals -
> published a statement of concern about the Council of Europe draft
> treaty on Crime in Cyberspace, which I believe was the predecessor to
> the legal changes that have been happening in Germany:
> Amongst many other things, this letter said:
>   "Signatory states passing legislation to implement the treaty may
>   endanger the security of their computer systems, because computer
>   users in those countries will not be able to adequately protect
>   their computer systems... legislation that criminalizes security
>   software development, distribution, and use is counter to that goal,
>   as it would adversely impact security practitioners, researchers,
>   and educators."
> If I recall correctly, we were assured by representatives that such an
> outcome would not occur.
> - Steve

Powered by blists - more mailing lists